Is Gameover Zeus making a comeback?

by Jimmy Nicholls | 11 July 2014

International police warned us it would.

Cyber criminals are trying to resurrect the Gameover Zeus virus more than a month after its distribution botnet was taken down by international police, according to Malcovery Security.

Victims are said to be infected through spam email attachments pretending to be from banks, with NatWest and M&T among those being impersonated.

Brendan Griffin and Gary Warner, both of Malcovery, said: "This discovery indicates that the criminals responsible for Gameover's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takedowns in history."

Once installed, the malware attempts to make contact with a command and control (C&C) server, which then sends instructions on how to proceed.

According to the security firm the domain generation algorithm used to regain access to the botnet "bears a striking resemblance" to that used by the original Gameover Zeus (GOZeuS) trojan, though the two are not directly related.

"Many sandboxes would have failed to launch the malware, as the presence of VMware Tools will stop the malware from executing," Griffin and Warner said.

They added that other sandboxes would not have noticed a successful connection, owing to the six to 10 minutes taken to generate the domain name used to launch the trojan.
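The domain generation algorithm and the delayed connection described above leave a footprint a defender can look for even when a sandbox misses the sample: an infected host walks through candidate domains, most of which do not resolve, and the names themselves are random-looking. The following is an added example, not code from the article or from Malcovery, that scores resolver log entries per client on NXDOMAIN volume and label entropy. The log tuples and domain names are constructed for illustration and are not real Gameover Zeus indicators; the thresholds are assumptions to tune against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample: (client_ip, queried_domain, rcode) tuples as a DNS
# resolver might log them. Names are made up, not real GOZ domains.
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "mail.example.org", "NOERROR"),
    ("10.0.0.7", "qx7bkv3pzltmh9dwe.net", "NXDOMAIN"),
    ("10.0.0.7", "lp2ghfa9w8rjqxvcd.com", "NXDOMAIN"),
    ("10.0.0.7", "mvt8zkqhx4cwbrpyd.org", "NXDOMAIN"),
    ("10.0.0.7", "h9wq2dfxjkb7rnclv.info", "NXDOMAIN"),
    ("10.0.0.7", "cqz4pmlrvx8dhwkgn.biz", "NXDOMAIN"),
    ("10.0.0.7", "dkb3xqzhm9vplrwtc.net", "NOERROR"),   # the one that resolved
    ("10.0.0.9", "cdn.example.net", "NOERROR"),
    ("10.0.0.9", "typo-exmaple.com", "NXDOMAIN"),        # an ordinary typo
]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain):
    # Crude: take the label left of the TLD. Good enough for the heuristic.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_clients(log, nx_threshold=4, entropy_threshold=3.5):
    """Return {client_ip: stats} for clients whose lookups look DGA-driven.

    A client is flagged when it produced at least nx_threshold NXDOMAIN
    answers AND at least nx_threshold high-entropy labels; requiring both
    keeps a single typo or a broken CDN hostname from raising an alert.
    """
    per_client = defaultdict(lambda: {"nxdomain": 0, "high_entropy": 0, "total": 0})
    for client, domain, rcode in log:
        st = per_client[client]
        st["total"] += 1
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
        if shannon_entropy(second_level_label(domain)) >= entropy_threshold:
            st["high_entropy"] += 1
    return {
        client: dict(st)
        for client, st in per_client.items()
        if st["nxdomain"] >= nx_threshold and st["high_entropy"] >= nx_threshold
    }


if __name__ == "__main__":
    for client, st in score_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {st}")
```

Run over a real resolver export, window the counts (the article's six to ten minute generation time suggests ten-minute buckets) and whitelist known CDN or tracking domains that legitimately use random-looking labels.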

In a twist from the original peer-to-peer infrastructure, the criminals are using fast flux hosting, which uses proxy redirection to make botnets more resistant to takedowns.
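Fast flux hosting shows up in DNS as a name whose answer set keeps changing: short TTLs, a fresh set of addresses on nearly every lookup, and addresses scattered across unrelated networks rather than one provider's block. The snippet below is an added example, not part of the article or any Malcovery tooling, that summarises repeated A-record lookups per name and counts those three indicators. The lookups use RFC 5737 documentation addresses constructed for the example; the cut-offs (TTL of 300 s or less, two or more new addresses per lookup, three or more /16 prefixes) are assumptions rather than published thresholds.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of successive A-record lookups, as a resolver or
# passive-DNS sensor might record them: (name, ttl_seconds, [answers]).
# Addresses come from RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_LOOKUPS = [
    ("static.example.com", 3600, ["203.0.113.10", "203.0.113.11"]),
    ("static.example.com", 3600, ["203.0.113.10", "203.0.113.11"]),
    ("static.example.com", 3600, ["203.0.113.11", "203.0.113.10"]),
    ("flux.example.net", 120, ["192.0.2.14", "198.51.100.77", "203.0.113.201"]),
    ("flux.example.net", 120, ["192.0.2.88", "198.51.100.5", "203.0.113.9"]),
    ("flux.example.net", 120, ["192.0.2.140", "198.51.100.163", "203.0.113.57"]),
]


def summarize(lookups):
    """Aggregate per name: lookup count, distinct IPs, distinct /16s, lowest TTL."""
    per_name = defaultdict(lambda: {"lookups": 0, "ips": set(), "prefixes": set(), "min_ttl": None})
    for name, ttl, answers in lookups:
        st = per_name[name]
        st["lookups"] += 1
        st["min_ttl"] = ttl if st["min_ttl"] is None else min(st["min_ttl"], ttl)
        for addr in answers:
            st["ips"].add(addr)
            # Bucket by /16 as a rough stand-in for "different network";
            # a production check would use ASN data instead.
            st["prefixes"].add(str(ip_network(addr + "/16", strict=False)))
    return per_name


def flux_score(st):
    """Number of fast-flux indicators present (0 to 3)."""
    score = 0
    if st["min_ttl"] is not None and st["min_ttl"] <= 300:      # short TTL
        score += 1
    if len(st["ips"]) / st["lookups"] >= 2:                       # churn in answers
        score += 1
    if len(st["prefixes"]) >= 3:                                  # spread across networks
        score += 1
    return score


def suspected_fast_flux(lookups, min_score=3):
    """Names whose lookup history hits at least min_score indicators."""
    return sorted(name for name, st in summarize(lookups).items() if flux_score(st) >= min_score)


if __name__ == "__main__":
    for name, st in summarize(SAMPLE_LOOKUPS).items():
        print(f"{name}: score={flux_score(st)} ips={len(st['ips'])} prefixes={len(st['prefixes'])}")
    print("suspected fast flux:", suspected_fast_flux(SAMPLE_LOOKUPS))
```

Large CDNs also rotate addresses with low TTLs, so the prefix-spread indicator matters most: a CDN's answers cluster in its own allocations, whereas a flux network built from compromised hosts does not.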

Contacted by the security firm, the FBI and Dell claimed the original Gameover Zeus botnet was still disabled.

Source: Company Press Release
